Merge pull request #1686 from HackTricks-wiki/update_Pointer_Leaks_Through_Pointer-Keyed_Serialization__20251217_022005

Pointer Leaks Through Pointer-Keyed Serialization in NSDicti...

Author: carlospolop

src/binary-exploitation/common-exploiting-problems.md

@@ -108,15 +108,14 @@ int snprintf(char *str, size_t size, const char *fmt, ...) {
 }
 ```
 
-
 </details>
 
 `LD_PRELOAD=./hook.so ./validate_harness payload.json` exfiltrates the internal flag and confirms the crash oracle without patching the binary.
 5. **Shrink the fuzz space.** Disassembly exposed an XOR key reused across the flag comparison, meaning the first seven bytes of `flag` were known. Only fuzz the nine unknown bytes.
-6. **Embed fuzz bytes inside a valid JSON envelope.** The AFL harness reads exactly nine bytes from `stdin`, copies them into the flag suffix, and hard-codes every other field (constants, tree depths, arithmetic preimage). Any malformed read simply exits, so AFL spends cycles on meaningful testcases.
+6. **Embed fuzz bytes inside a valid JSON envelope.** The AFL harness reads exactly nine bytes from `stdin`, copies them into the flag suffix, and hard-codes every other field (constants, tree depths, arithmetic preimage). Any malformed read simply exits, so AFL spends cycles on meaningful testcases:
 
 <details>
-<summary>AFL-friendly harness for structured JSON</summary>
+<summary>Minimal AFL harness</summary>
 
 ```c
 #include <stdint.h>
@@ -154,7 +153,62 @@ int main(void) {
 
 This workflow lets you triage anti-debug-protected JNI validators quickly, leak secrets when needed, then fuzz only the meaningful bytes, all without touching the original APK.
 
-### Related pages
+## Pointer-Keyed Hash Table Pointer Leaks on Apple Serialization
+
+### Requirements & attack surface
+
+- A service accepts attacker-controlled property lists (XML or binary) and calls `NSKeyedUnarchiver.unarchivedObjectOfClasses` with a permissive allowlist (e.g., `NSDictionary`, `NSArray`, `NSNumber`, `NSString`, `NSNull`).
+- The resulting objects are reused and later serialized again with `NSKeyedArchiver` (or iterated in deterministic bucket order) and sent back to the attacker.
+- Some key type in the containers uses pointer values as its hash code. Before March 2025, `CFNull`/`NSNull` fell back to `CFHash(object) == (uintptr_t)object`, and deserialization always returned the shared-cache singleton `kCFNull`, giving a stable kernel-shared pointer without memory corruption or timing.
+
+### Controllable hashing primitives
+
+- **Pointer-based hashing:** `CFNull`’s `CFRuntimeClass` lacks a hash callback, so `CFBasicHash` uses the object address as the hash. Because the singleton lives at a fixed shared-cache address until reboot, its hash is stable across processes.
+- **Attacker-controlled hashes:** 32-bit `NSNumber` keys are hashed through `_CFHashInt`, which is deterministic and attacker-controllable. Picking specific integers lets the attacker choose `hash(number) % num_buckets` for any table size.
+- **`NSDictionary` implementation:** Immutable dictionaries embed a `CFBasicHash` with a prime bucket count chosen from `__CFBasicHashTableSizes` (e.g., 23, 41, 71, 127, 191, 251, 383, 631, 1087). Collisions are handled with linear probing (`__kCFBasicHashLinearHashingValue`), and serialization walks buckets in numeric order; therefore, the order of serialized keys encodes the bucket index that each key finally occupied.
+
+### Encoding bucket indices into serialization order
+
+By crafting a plist that materializes a dictionary whose buckets alternate between occupied and empty slots, the attacker constrains where linear probing can place `NSNull`. For a 7-bucket example, filling even buckets with `NSNumber` keys produces:
+
+```text
+bucket:          0 1 2 3 4 5 6
+occupancy:       # _ # _ # _ #
+```
+
+During deserialization the victim inserts the single `NSNull` key. Its initial bucket is `hash(NSNull) % 7`, but probing advances until hitting one of the open indices {1,3,5}. The serialized key order reveals which slot was used, disclosing whether the pointer hash modulo 7 lies in {6,0,1}, {2,3}, or {4,5}. Because the attacker controls the original serialized order, the `NSNull` key is emitted last in the input plist so the post-reserialization ordering is solely a function of bucket placement.
+
+### Resolving exact residues with complementary tables
+
+A single dictionary only leaks a range of residues. To determine the precise value of `hash(NSNull) % p`, build **two** dictionaries per prime bucket size `p`: one with even buckets pre-filled and one with odd buckets pre-filled. For the complementary pattern (`_ # _ # _ # _`), the empty slots (0,2,4,6) map to residue sets {0}, {1,2}, {3,4}, {5,6}. Observing the serialized position of `NSNull` in both dictionaries narrows the residue to a single value because the intersection of the two candidate sets yields a unique `r_i` for that `p`.
+
+The attacker bundles all dictionaries inside an `NSArray`, so a single deserialize → serialize round trip leaks residues for every chosen table size.
+
+### Reconstructing the 64-bit shared-cache pointer
+
+For each prime `p_i ∈ {23, 41, 71, 127, 191, 251, 383, 631, 1087}`, the attacker recovers `hash(NSNull) ≡ r_i (mod p_i)` from the serialized ordering. Applying the Chinese Remainder Theorem (CRT) with the extended Euclidean algorithm yields:
+
+```text
+Π p_i = 23·41·71·127·191·251·383·631·1087 = 0x5ce23017b3bd51495 > 2^64
+```
+
+so the combined residue uniquely equals the 64-bit pointer to `kCFNull`. The Project Zero PoC iteratively combines congruences while printing intermediate moduli to show convergence toward the true address (`0x00000001eb91ab60` on the vulnerable build).
+
+### Practical workflow
+
+1. **Generate crafted input:** Build the attacker-side XML plist (two dictionaries per prime, `NSNull` serialized last) and convert it to binary format.
+   ```bash
+   clang -o attacker-input-generator attacker-input-generator.c
+   ./attacker-input-generator > attacker-input.plist
+   plutil -convert binary1 attacker-input.plist
+   ```
+2. **Victim round trip:** The victim service deserializes with `NSKeyedUnarchiver.unarchivedObjectOfClasses` using the allowed classes set `{NSDictionary, NSArray, NSNumber, NSString, NSNull}` and immediately re-serializes with `NSKeyedArchiver`.
+3. **Residue extraction:** Converting the returned plist back to XML reveals the dictionary key ordering. A helper such as `extract-pointer.c` reads the object table, determines the index of the singleton `NSNull`, maps each dictionary pair back to its bucket residue, and solves the CRT system to recover the shared-cache pointer.
+4. **Verification (optional):** Compiling a tiny Objective-C helper that prints `CFHash(kCFNull)` confirms the leaked value matches the real address.
+
+No memory safety bug is required—simply observing serialization order of pointer-keyed structures yields a remote ASLR bypass primitive.
+
+## Related pages
 
 {{#ref}}
 ../mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
@@ -169,5 +223,6 @@ This workflow lets you triage anti-debug-protected JNI validators quickly, leak
 - [FD duplication exploit example](https://ir0nstone.gitbook.io/notes/types/stack/exploiting-over-sockets/exploit)
 - [Socat delete-character behaviour](https://ir0nstone.gitbook.io/hackthebox/challenges/pwn/dream-diary-chapter-1/unlink-exploit)
 - [FuzzMe – Reverse Engineering and Fuzzing an Android Shared Library](https://hackmd.io/@sal/fuzzme-mobilehackinglab-ctf-writeup)
+- [Pointer leaks through pointer-keyed data structures (Project Zero)](https://projectzero.google/2025/09/pointer-leaks-through-pointer-keyed.html)
 
 {{#include ../banners/hacktricks-training.md}}